If it came with the install, you might want to replace it.
Are you on a menu driven system or can you just edit the conf file manually?
edit the config manually
When I renew there is a command to increase to 4096
Try updating these two lines:
ssl_ciphers CHACHA20:ECDSA+AESGCM:ECDHE+AESGCM:ECDSA+SHA384:ECDSA+SHA256:ECDHE+SHA384:ECDHE+SHA256:ECDSA:ECDHE:!3DES:!ADH:!AECDH:!AESCCM:!aNULL:!CAMELLIA:!DES:!DHE:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!MEDIUM:!NULL:!PSK:!RC4:!SEED:!SHA1:!SRP;
ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:sect409r1:brainpoolP384r1:secp384r1;
Still get A+ but not 100% on key exchange and cipher strength.
Will check your response tomorrow. Thank you so much for your help.
I'm glad things went well.
But I don't understand this:
On OpenSSL 1.1.0
ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
returns:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-CCM8
DHE-RSA-AES256-CCM
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
But since you probably don't have an ECDSA cert, you can remove those lines.
ciphers CHACHA20:ECDSA+AESGCM:ECDHE+AESGCM:ECDSA+SHA384:ECDSA+SHA256:ECDHE+SHA384:ECDHE+SHA256:ECDSA:ECDHE:!3DES:!ADH:!AECDH:!AESCCM:!aNULL:!CAMELLIA:!DES:!DHE:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!MEDIUM:!NULL:!PSK:!RC4:!SEED:!SHA1:!SRP;
returns:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
Again, remove the ECDSA lines if you don't have that cert.
How are these lines weaker than your lines?
Unless the CHACHA20 at the top is causing the lower overall score.
Try it without it:
ciphers ECDSA+AESGCM:ECDHE+AESGCM:ECDSA+SHA384:ECDSA+SHA256:ECDHE+SHA384:ECDHE+SHA256:ECDSA:ECDHE:!3DES:!ADH:!AECDH:!AESCCM:!aNULL:!CAMELLIA:!DES:!DHE:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!MEDIUM:!NULL:!PSK:!RC4:!SEED:!SHA1:!SRP;
Anyway, good night for now.
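The post above compares two cipher strings by hand and wonders why neither scores 100% on cipher strength. The script below is an added example, not code from the thread: it expands a cipher string with `openssl ciphers`, reports the key algorithm of the server's certificate (RSA versus ECDSA, the question the thread keeps returning to), keeps only the suites that certificate can authenticate, and finds the smallest symmetric key size the string permits. The self-signed RSA certificate it generates is a constructed stand-in for the poster's own certificate; the cipher string is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): expand an OpenSSL cipher string the way
# the server does, keep the suites the server's certificate can authenticate,
# and find the weakest symmetric key size the string allows.

# Expand a cipher string into one suite name per line, in OpenSSL's order.
expand_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Print the certificate's public key algorithm: rsaEncryption for an RSA cert,
# id-ecPublicKey for an ECDSA cert.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1
}

# Keep only the suites whose authentication column (Au=...) matches the
# certificate's key. With an RSA certificate every ECDSA suite drops out, which
# is why those entries in the cipher string are dead weight for an RSA-only host.
usable_ciphers() {
    spec=$1
    cert=$2
    case "$(cert_key_algo "$cert")" in
        rsaEncryption)  au=RSA ;;
        id-ecPublicKey) au=ECDSA ;;
        *) echo "unsupported key type in $cert" >&2; return 1 ;;
    esac
    openssl ciphers -v "$spec" | awk -v want="Au=$au" '$4 == want { print $1 }'
}

# Smallest symmetric key size in bits among the suites the string enables.
# Both cipher strings quoted in the thread enable AES-128-GCM suites, so this
# returns 128 for them; that 128-bit floor is what a scanner's "cipher strength"
# column sees, regardless of how the 256-bit suites are ordered.
min_enc_bits() {
    openssl ciphers -v "$1" | awk '
        match($5, /\([0-9]+\)/) {
            b = substr($5, RSTART + 1, RLENGTH - 2) + 0
            if (min == "" || b < min) min = b
        }
        END { print min }'
}

# Constructed self-signed RSA certificate for demonstration; prints its path.
make_demo_rsa_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

if command -v openssl >/dev/null 2>&1; then
    SPEC='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
    CERT=$(make_demo_rsa_cert)
    echo "key algorithm: $(cert_key_algo "$CERT")"
    echo "weakest symmetric key: $(min_enc_bits "$SPEC") bits"
    echo "suites usable with this certificate:"
    usable_ciphers "$SPEC" "$CERT"
fi
```

Run it against the real certificate by replacing the `make_demo_rsa_cert` call with the path of the live `fullchain.pem`; if `cert_key_algo` prints `rsaEncryption`, the `ECDSA+...` entries in the nginx `ssl_ciphers` line can be removed without changing what clients negotiate.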
Those bars to the right aren't supposed to be 100% and are going to be removed in a future update because they're so confusing.
If you have an A+ you don't need to worry.
If you want to get 100% and A+, try my thread in this forum.
(However it's going to block several older devices from connecting to your server. Be warned.)
Thank you
Thanks for the link it was interesting.
I think I'm going to go with your suggestion.
I don't know what an ECDSA cert is, but I appreciate your help; you have been great.
What is the version of the command above that I can use to test the command in a script without running into the limit on the number of times I can run it?
certbot certonly --staging --webroot -w /usr/local/www -d <domain_name> -d www.<domain_name>
It will still have a rate limit; however, I think it's big enough for mistakes. (Unless you put the script on a cronjob.)
Thank you
What is the limit for staging? 30,000?
What will I see to know it staged correctly?
It will show similar congratulations messages; it's just a certificate that isn't valid (not signed by a public CA).
The staging limits are here:
Certificate per domain: 30000 per week
Failed attempts: 60 per hour
Duplicate certificate: 30000 per week
Thank you
Is there an option to automate the initial certbot command so no user input is needed? Other command line options that I can use variables for?
certbot certonly --staging --webroot -w /usr/local/www -d ${HOST_NAME} -d ${HOST_NAME}
There are lots; you should be able to find them via certbot --help. If you have a particular question that Certbot asks that you'd like to know a command-line equivalent for, please feel free to ask and we should be able to point you in the right direction.
certbot certonly --staging --webroot -w /usr/local/www -d ${HOST_NAME} -d ${HOST_NAME} --agree-tos -m ${EMAIL_NAME}
What is the option for "Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights." You have to answer yes/no.
I believe --eff-email
or --no-eff-email
will choose yes or no, respectively.
Thanks I missed that when viewing the help.
When executing this command from a script, with ${HOST_NAME} replaced with my domain, I get this error:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
but when I run the command in certbot certonly --webroot -w /usr/local/www -d ${HOST_NAME} -d ${HOST_NAME} --agree-tos -m ${EMAIL_NAME}
it works and I get the congratulations message.
Any idea on what's wrong?
Why are you using it twice?
As for the "Connection refused" to staging problem...
Can you connect to staging with curl or wget?
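The thread's script passes the same name twice, runs certbot interactively, and hits "Connection refused" on staging without first checking that the staging CA is reachable. The script below is an added example, not the thread's own command or Certbot project code: it validates the inputs, builds the non-interactive argument list (`--agree-tos`, `-m`, `--no-eff-email` and `--non-interactive`, all documented in `certbot --help`) for the bare name and its `www.` label as the original instruction intended, probes the staging directory with curl before spending a failed-attempt quota, and only then runs certbot. `HOST_NAME`, `EMAIL_NAME`, `WEBROOT` and `USE_STAGING` are assumed environment variables following the thread's naming; the staging directory URL is the current Let's Encrypt v2 staging endpoint, which the thread itself does not name.

```shell
#!/bin/sh
# Added example (not from the thread): request the initial certificate without
# prompts, against the staging CA while the script is being debugged, and check
# that staging is reachable before certbot counts a failed attempt.
# Assumed inputs: HOST_NAME, EMAIL_NAME, WEBROOT (default /usr/local/www),
# USE_STAGING (default 1). The URL is the Let's Encrypt v2 staging directory.
STAGING_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'

# Refuse to run with empty inputs: an empty -d or -m makes certbot either
# prompt or fail, which defeats the point of scripting it.
check_inputs() {
    host=$1
    email=$2
    ok=0
    [ -n "$host" ]  || { echo "HOST_NAME is not set" >&2; ok=1; }
    [ -n "$email" ] || { echo "EMAIL_NAME is not set" >&2; ok=1; }
    return $ok
}

# Print the certbot argument list for the bare name plus its www. label.
# The same name is never passed twice. $3 = 1 selects --staging; anything
# else requests a real, rate-limited production certificate.
build_certbot_args() {
    host=$1
    email=$2
    staging=$3
    webroot=${4:-/usr/local/www}
    args="certonly"
    if [ "$staging" = 1 ]; then
        args="$args --staging"
    fi
    args="$args --webroot -w $webroot -d $host -d www.$host"
    # --agree-tos, -m and --no-eff-email answer the three interactive questions;
    # --non-interactive makes certbot exit instead of asking anything else.
    args="$args --agree-tos -m $email --no-eff-email --non-interactive"
    echo "$args"
}

# Reachability probe for the staging CA: separates "this host cannot reach
# staging" (firewall, DNS, proxy) from a problem with the webroot challenge.
staging_reachable() {
    curl -sS --max-time 10 -o /dev/null "$STAGING_DIRECTORY"
}

main() {
    check_inputs "$HOST_NAME" "$EMAIL_NAME" || exit 2
    if [ "${USE_STAGING:-1}" = 1 ]; then
        staging_reachable || { echo "cannot reach $STAGING_DIRECTORY" >&2; exit 3; }
    fi
    # Word-splitting the argument string is intended here.
    certbot $(build_certbot_args "$HOST_NAME" "$EMAIL_NAME" "${USE_STAGING:-1}" "${WEBROOT:-/usr/local/www}")
}

# Only invoke certbot when the inputs are present; sourcing the file for
# inspection or testing does not trigger a request.
if [ -n "$HOST_NAME" ] && [ -n "$EMAIL_NAME" ]; then
    main
fi
```

Once the staging run prints the congratulations message, set `USE_STAGING=0` for the production request. If `staging_reachable` fails while the production command works, the box can reach one ACME endpoint but not the other, which points at an egress firewall or DNS rule rather than at the webroot configuration.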
I followed this instruction, maybe I misunderstood it.
"Use the webroot setting for certbot to install the certificates
certbot certonly --webroot -w /usr/local/www -d <domain_name> -d www.<domain_name>"